Xbox.com Password Flaw May Be Behind Hacked Accounts
The recent rash of hacks reported by Xbox Live gamers may be tied to a simple flaw on Microsoft's Xbox.com website that lets hackers easily crack customers' passwords and steal from their online gaming accounts.
The "Achilles Heel," as gaming website Analog Hype called it, is that Xbox.com allows Microsoft gamers to enter an incorrect Windows Live password eight times before Microsoft prompts them with a CAPTCHA code.
"When hackers get to that CAPTCHA code, there is a link for 'try with another LIVE ID,'" Analog Hype explained. "Clicking this link resets the CAPTCHA code and hackers can continue to force their way in 8 more times before they need to click the link again."
This security lapse opens up a route of infiltration called a "brute force" attack, in which attackers flood a target website with an automated onslaught of possible passwords. Since many people use common passwords such as "123456" and "password," it wouldn't take long to gather a large number of cracked accounts.
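The defensive point in the passage above is that a failed-attempt counter only protects accounts if it lives on the server and cannot be cleared by a client-side action such as a "try with another LIVE ID" link. The following is an added illustration, not code from Microsoft, Xbox.com or Analog Hype; the `LoginThrottle` class, the account and source names, and every threshold other than the article's eight-attempt CAPTCHA trigger are assumptions. The `ClientResettableThrottle` subclass reproduces, for contrast, the weak behaviour the article describes, where the link resets the counter.

```python
"""
Server-side throttling of failed sign-in attempts (added example).

The counter is keyed by the account being signed into and by the
requesting source, so nothing the client does in the UI can reset it;
only a genuine successful sign-in clears the per-account count.
"""
import time
from collections import defaultdict

CAPTCHA_AFTER = 8          # failures before a CAPTCHA is required (the article's threshold)
LOCK_AFTER = 20            # failures before a temporary account lock (assumed policy)
LOCK_SECONDS = 15 * 60     # lock duration in seconds (assumed policy)
SOURCE_CAPTCHA_AFTER = 30  # failures from one source across all accounts (assumed policy)


class LoginThrottle:
    """Hardened form: counters are server state, not UI state."""

    def __init__(self, clock=time.time):
        self.clock = clock                         # injectable for testing lock expiry
        self.account_failures = defaultdict(int)   # account -> failed attempts
        self.source_failures = defaultdict(int)    # source (e.g. client IP) -> failed attempts
        self.locked_until = {}                     # account -> unix time the lock ends

    def status(self, account, source):
        """Return 'locked', 'captcha' or 'ok' for the next attempt on this account."""
        if self.locked_until.get(account, 0) > self.clock():
            return "locked"
        if (self.account_failures[account] >= CAPTCHA_AFTER
                or self.source_failures[source] >= SOURCE_CAPTCHA_AFTER):
            return "captcha"
        return "ok"

    def record_failure(self, account, source):
        """Called by the login handler after a wrong password."""
        self.account_failures[account] += 1
        self.source_failures[source] += 1
        if self.account_failures[account] >= LOCK_AFTER:
            self.locked_until[account] = self.clock() + LOCK_SECONDS

    def record_success(self, account):
        """Only a real successful sign-in clears the per-account state."""
        self.account_failures.pop(account, None)
        self.locked_until.pop(account, None)

    def switch_account_link(self, account, source):
        """What a 'try with another ID' link should do to counters: nothing."""
        return self.status(account, source)


class ClientResettableThrottle(LoginThrottle):
    """Weak form, for contrast: the link clears the account counter, so the
    eight-attempt limit becomes unlimited (the behaviour the article describes)."""

    def switch_account_link(self, account, source):
        self.account_failures.pop(account, None)
        return self.status(account, source)


def simulate_switch_link(throttle_cls, bursts=3, attempts_per_burst=CAPTCHA_AFTER):
    """Constructed scenario: wrong passwords against one account, with the
    'switch account' link used between bursts. Returns the server's status
    after each burst so the two throttle designs can be compared."""
    t = throttle_cls()
    account, source = "victim@example.invalid", "203.0.113.5"   # constructed values
    results = []
    for _ in range(bursts):
        for _ in range(attempts_per_burst):
            if t.status(account, source) != "ok":
                break                     # server refuses further plain attempts
            t.record_failure(account, source)
        results.append(t.switch_account_link(account, source))
    return results


if __name__ == "__main__":
    print("hardened:", simulate_switch_link(LoginThrottle))
    print("weak:    ", simulate_switch_link(ClientResettableThrottle))
```

With the hardened throttle every burst after the first is refused at the CAPTCHA gate, whereas the client-resettable version reports "ok" after each use of the link. The source-keyed counter is there so that spraying a common password across many accounts from one address is also slowed, independent of any single account's count.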
Once they obtained a target's password, the hacker(s) buy a Family Gold Pack, which allows them to "gift" Microsoft Points to designated accounts, the tech site Kotaku explained. From there, the culprits buy "a ton of Microsoft Points, set up new Xbox Live Gold accounts and siphon the points into these new accounts."
The fraudulent new accounts, loaded with tons of legitimate gaming points, are sold on underground cybercrime forums.
In an email to SecurityNewsDaily, a Microsoft spokesperson said, "Microsoft has seen no evidence of a security breach in our Xbox LIVE service. The online safety of Xbox LIVE members remains of the utmost importance, which is why we consistently take measures to protect Xbox LIVE against ever-changing threats."
The statement continued: "Security in the technology industry is an ongoing process, and with each new form of technology designed to deter attacks, the attackers try to find new ways to subvert it. We continue to evolve our security features and processes to ensure Xbox LIVE customers information is secure. Online fraud and identity theft are industry-wide problems, and as such people using any online services should set strong passwords, not share those passwords across multiple services and refrain from sharing any personal details that could leave them vulnerable. As always, we highly recommend our members follow the Xbox LIVE Account Security guidance provided at http://xbox.com/security to protect your account."
Jason Coutee, a network-infrastructure manager whose Xbox Live account was hacked in late 2010, discovered the security glitch. In October, Microsoft froze some Xbox Live accounts after people, Coutee included, reported their accounts were hacked and drained to purchase content packs for FIFA 12. Rather than wait for the 30-day freeze to thaw, Coutee decided to investigate on his own.